
I have created a PHP editor using file functions, where users can run code online and get the result on the same page.

executephp5.php

<form action="<?php echo htmlspecialchars($_SERVER['PHP_SELF'], ENT_QUOTES, 'UTF-8'); ?>" method="post">
  <b>Write your code here</b>
  <textarea name="code"></textarea>
  <input type="submit" value="Run code">
</form>
<?php
# only read the field when the form was actually submitted
# (avoids an undefined-index notice on the first GET)
$cd = isset($_POST['code']) ? $_POST['code'] : '';
# undo magic_quotes_gpc on old PHP 5 setups; do not strip real backslashes otherwise
if (get_magic_quotes_gpc()) {
  $cd = stripslashes($cd);
}
# don't write an empty textarea
if ($cd !== '') {
  $file = fopen("demo.php", "w");
  echo fwrite($file, $cd); # prints the number of bytes written
  fclose($file);
}
?>

<b>Results:</b>
<hr>
<?php
  error_reporting(E_ALL);
  # demo.php does not exist until the first submission
  if (is_file("demo.php")) {
    include "demo.php";
  }
?>

demo.php is the target file; it is updated by the form.

This all works as expected. My problem is that I want to disable all file, directory, mail() and ftp functions for this editor so that users cannot crash the site.

Is there any way to disable those functions only for my editor?

Somnath Muluk
Amit Verma

  • You can start by locking down most things through the `php.ini`; if you own the server (hopefully Linux), you could lock that down in its own jail with no root access/etc/etc. It'd be worth looking at how [TehPlayground.com](http://tehplaygroud.com) do it; here's their [Repo](https://github.com/thesilvervestgroup/tehplayground/) – Darren Dec 01 '15 at 06:01
  • Answer is identical to http://stackoverflow.com/questions/3115559/exploitable-php-functions – apscience Dec 01 '15 at 06:02
  • Use `disable_functions` in the ini file. http://php.net/manual/en/ini.core.php#ini.disable-functions – Jigar Dec 01 '15 at 06:27
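The `disable_functions` route suggested in the comments, as an added example that is not configuration from the thread: a dedicated PHP-FPM pool serving only the editor's virtual host, so the restrictions apply there and nowhere else on the site. The pool name, user, socket path, directories and the PHP version in the file path are assumptions.

```ini
; /etc/php/5.6/fpm/pool.d/editor.conf  (assumed location; pool name, user and paths are assumptions)
[editor]
user = editor
group = editor
listen = /run/php/editor.sock
listen.owner = www-data
listen.group = www-data
listen.mode = 0660
pm = ondemand
pm.max_children = 4
pm.process_idle_timeout = 10s
request_terminate_timeout = 10s

; php_admin_value / php_admin_flag cannot be undone by ini_set() in user code,
; unlike php_value / php_flag. disable_functions and disable_classes match exact
; names only, so every alias of a family has to be listed explicitly.
php_admin_value[disable_functions] = fopen,fwrite,fputs,fputcsv,file,file_get_contents,file_put_contents,readfile,fpassthru,unlink,rename,copy,touch,tempnam,tmpfile,chmod,chown,chgrp,symlink,link,parse_ini_file,highlight_file,show_source,move_uploaded_file,opendir,readdir,scandir,dir,glob,mkdir,rmdir,chdir,chroot,mail,ftp_connect,ftp_ssl_connect,ftp_login,ftp_get,ftp_put,ftp_fget,ftp_fput,ftp_nb_get,ftp_nb_put,ftp_exec,ftp_delete,ftp_rmdir,ftp_mkdir,ftp_raw,exec,shell_exec,system,passthru,proc_open,popen,pcntl_exec
; the SPL file classes are a second way to read and write files
php_admin_value[disable_classes] = SplFileObject,SplTempFileObject,DirectoryIterator,RecursiveDirectoryIterator,FilesystemIterator,GlobIterator
; include/require are language constructs and cannot be disabled by name;
; confine them (and any remaining file access) to the editor's own directories
php_admin_value[open_basedir] = /var/www/editor:/tmp/editor
php_admin_flag[allow_url_fopen] = off
php_admin_flag[allow_url_include] = off
php_admin_value[max_execution_time] = 5
php_admin_value[memory_limit] = 32M
php_admin_value[upload_tmp_dir] = /tmp/editor
php_admin_value[session.save_path] = /tmp/editor

; Optional: the "own jail" from the comment above. Everything PHP needs at run
; time (the editor files, a /tmp, resolver config) must then exist under this path.
;chroot = /var/www/editor
```

Two things to keep in mind with this approach. First, the restrictions apply to every script the pool runs, including the editor itself: with this pool, the `fopen`/`fwrite` that writes demo.php in the question's script is disabled too, so the editor has to run the submitted code another way (for example `eval('?>' . $code)`, which accepts code that starts with `<?php` just as the include did) or the writing script has to live in a different pool. Second, a denylist of function names is only as good as its completeness; `open_basedir`, the resource limits and the process user doing the actual damage control is what keeps a missed alias from becoming a site compromise.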

1 Answer


You can pass in disable_functions, i.e. "Comma separated list of functions to disable within the sandbox sub-interpreter."

Check Runkit_Sandbox. You should make the editor available as a sandbox.

Somnath Muluk
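The editor from the question rebuilt on the answer's suggestion, as an added example that is not code from the question or the answer: the submitted code runs inside a Runkit_Sandbox sub-interpreter whose `disable_functions` list covers the file, directory, mail() and ftp families, while the outer script keeps full access. It assumes the PECL runkit extension on a thread-safe (ZTS) PHP 5 build (Runkit_Sandbox is not available in runkit7), and the `open_basedir` path is an assumption.

```php
<?php
// Added example, not code from the question or the answer: the same editor,
// but the submitted code is evaluated in a Runkit_Sandbox sub-interpreter with
// the file, directory, mail() and ftp functions disabled, instead of being
// written to demo.php and include-d into the main script. Requires the PECL
// runkit extension on a thread-safe (ZTS) PHP 5 build; Runkit_Sandbox is not
// part of runkit7. The open_basedir path below is an assumption.

// disable_functions matches exact names only, so every alias and every member
// of a family has to be listed. The list covers the families the question
// names plus the process-execution functions that would bypass all of them.
$blockedFunctions = implode(',', array(
    // file functions
    'fopen', 'fwrite', 'fputs', 'fputcsv', 'file', 'file_get_contents', 'file_put_contents',
    'readfile', 'fpassthru', 'unlink', 'rename', 'copy', 'touch', 'tempnam', 'tmpfile',
    'chmod', 'chown', 'chgrp', 'symlink', 'link', 'parse_ini_file', 'highlight_file',
    'show_source', 'move_uploaded_file',
    // directory functions
    'opendir', 'readdir', 'scandir', 'dir', 'glob', 'mkdir', 'rmdir', 'chdir', 'chroot',
    // mail and ftp
    'mail', 'ftp_connect', 'ftp_ssl_connect', 'ftp_login', 'ftp_get', 'ftp_put',
    'ftp_fget', 'ftp_fput', 'ftp_nb_get', 'ftp_nb_put', 'ftp_exec', 'ftp_delete',
    'ftp_rmdir', 'ftp_mkdir', 'ftp_raw',
    // process execution
    'exec', 'shell_exec', 'system', 'passthru', 'proc_open', 'popen', 'pcntl_exec',
));

// These are the options Runkit_Sandbox accepts at construction time only.
$sandboxOptions = array(
    'disable_functions' => $blockedFunctions,
    // the SPL file classes are a second way to read and write files
    'disable_classes'   => 'SplFileObject,SplTempFileObject,DirectoryIterator,'
                         . 'RecursiveDirectoryIterator,FilesystemIterator,GlobIterator',
    // include/require are language constructs and cannot go on disable_functions;
    // confine them to an assumed empty directory instead
    'open_basedir'      => '/var/www/editor/empty',
    'allow_url_fopen'   => 'false',
);

function run_in_sandbox($code, array $options)
{
    $sandbox = new Runkit_Sandbox($options);
    $sandbox->ini_set('max_execution_time', 5);   // a runaway loop ends the sandbox, not the site
    $sandbox->ini_set('memory_limit', '32M');
    $sandbox->ini_set('display_errors', true);     // parse/runtime errors show up in the Results area
    // Leave parent_access at its default (off): enabling it would let sandboxed
    // code reach the parent interpreter through Runkit_Sandbox_Parent.
    //
    // The leading "?>" puts eval() into HTML mode, so the user's code can start
    // with "<?php" exactly as it did when demo.php was include-d. Output of the
    // evaluated code is emitted at this point, where the include used to be.
    return $sandbox->eval('?>' . $code);
}
?>
<form action="<?php echo htmlspecialchars($_SERVER['PHP_SELF'], ENT_QUOTES, 'UTF-8'); ?>" method="post">
  <b>Write your code here</b>
  <textarea name="code"></textarea>
  <input type="submit" value="Run code">
</form>
<b>Results:</b>
<hr>
<?php
$code = isset($_POST['code']) ? $_POST['code'] : '';
if (get_magic_quotes_gpc()) {
    $code = stripslashes($code);   // only undo magic quotes where they are on
}
if ($code !== '') {
    run_in_sandbox($code, $sandboxOptions);
}
?>
```

Because only the sub-interpreter is restricted, the outer script could still write demo.php with `fopen` if a saved copy is wanted; the example drops that step because nothing needs the file once the code is evaluated directly. The sandbox isolates function visibility, `open_basedir` and resource limits, not the process: the code still runs as the web server user, so the pool/user it runs under and the directory permissions remain the backstop for anything the denylist misses.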